WHAT IS CLAIMED IS:

1. A method of securing a data transaction across a security barrier, the method
comprising:

validating a request message against a predefined request message specification;
transmitting the validated request message across the security barrier;
validating a response message against a predefined response message
specification, the response message corresponding to the validated
request; and
transmitting the validated response message across the security barrier.

2. A method as in claim 1,
wherein the request and response message specifications are predefined in
accordance with valid request and response message constraints specific to
an information resource.

3. A method as in claim 1,
wherein at least one of the request and response message specifications is
cryptographically secured.

4. A method as in claim 1, further comprising:
receiving, at an application proxy, an access request targeting an information
resource;
formatting the request message in a structured language corresponding to the
request message specification; and
transmitting the formatted request message to a secure data broker for the request
message validating.

5. A method as in claim 1, further comprising:
formatting the response message in a structured language corresponding to the
response message specification; and
transmitting the formatted response message to a secure data broker for the
response message validating.


6. A method as in claim 1, further comprising:
accessing an information resource in accordance with the validated request
message; and
preparing the response message in accordance with the access.


7. A method as in claim 6,
wherein the response message is formatted in a structured language corresponding
to the response message specification.


8. A method as in claim 1,
wherein the request message is formatted in a structured language corresponding
to the request message specification; and
wherein the response message is formatted in a structured language corresponding
to the response message specification.

9. A method as in claim 8,
wherein the structured languages corresponding to the request and response
message specifications include Extensible Markup Language (XML).

10. A method as in claim 1,
wherein the request and the response message validatings are respectively
performed at first and second secure data brokers on opposing sides of the
security barrier; and
wherein the validated request and response message transmissions are between
the first and second secure data brokers.

11. A method as in claim 1, wherein the request message validating includes:
parsing the request message using Document Type Definitions (DTDs) encoding a
hierarchy of valid tag-value pairs in accordance with syntax of a valid
request message; and
if the request message is not successfully parsed, forwarding a response message
without transmission of the request message across the security barrier.

12. A method as in claim 1, wherein the response message validating includes:
parsing the response message using Document Type Definitions (DTDs) encoding a
hierarchy of tag-value pairs in accordance with syntax of a valid response
message.




13. A method as in claim 1,
wherein at least one of the validated request message transmitting and the
validated response message transmitting is via a secure protocol.




14. A method as in claim
wherein at least one of the validated request message and the validated response
message is encoded in a markup language.

15. A method as in claim 1,
wherein the security barrier includes a firewall.

16. A method as in claim 1, 

wherein the security barrier includes a secure communication channel between 
servers. 


17. In a networked computing environment, a method of securing access to an
information resource behind a security barrier, the method comprising:
predefining a request message specification corresponding to a structured request
language;
formatting an access request in accordance with the structured request language;
supplying the formatted access request to a first intermediary, the intermediary
validating the formatted access request in accordance with the request
message specification; and
forwarding the validated access request across the security barrier.

18. A method as in claim 17, further comprising:
accessing the information resource in accordance with the validated access
request.

19. A method as in claim 17, further comprising:
receiving, at an application proxy, an access request targeting the information
resource; and
performing the access request formatting at the application proxy.

20. A method as in claim 17, further comprising:
predefining a response message specification corresponding to a structured
response language;
formatting a response to the access request in accordance with the structured
response language;
supplying the formatted response to a second intermediary, the second
intermediary validating the formatted response in accordance with the
response message specification; and
forwarding a validated response across the security barrier.


21. A method as in claim 20, further comprising:
accessing the information resource in accordance with an access request from a
client; and
supplying the client with a response in accordance with the validated response.

22. In a networked computing environment, a method of securing access to an
information resource behind a security barrier, the method comprising:
predefining a response message specification corresponding to a structured
response language;
formatting a response to an access request targeting the information resource, the
formatted response being in accordance with the structured response
language;
supplying the formatted response to an intermediary, the intermediary validating
the formatted response in accordance with the response message
specification; and
forwarding a validated response across the security barrier.

23. A method as in claim 22, further comprising:
accessing the information resource in accordance with the access request from a
client; and
supplying the client with a response in accordance with the validated response.


24. An information security system comprising:
a security barrier;
a proxy for an information resource, the proxy and the information resource on
opposing first and second sides, respectively, of the security barrier;
a data broker on the first side of the security barrier, wherein, in response to an
access request targeting the information resource, the data broker validates
a request message against a predefined request message specification and
forwards only validated request messages across the security barrier.

25. An information security system as in claim 24, further comprising:
a second data broker on the second side of the security barrier, wherein, in
response to an access targeting the information resource, the second data
broker validates a response message against a predefined response
message specification and forwards only validated response messages
across the security barrier.
26. An information security system as in claim 24, further comprising:
the information resource.


27. In a networked information environment including a client and an
information resource separated by a security barrier, an information security system
comprising:
means for proxying an access request by the client targeting the information
resource and for preparing a request message corresponding to the access
request in a structured language corresponding to a predefined request
message specification;
means for validating the request message against the predefined request message
specification and forwarding only validated request messages across the
security barrier.


28. An information security system as in claim 27, further comprising:
means for validating a response message against a predefined response message
specification and forwarding only validated response messages across the
security barrier.




29. An information security system as in claim 27, further comprising:
the security barrier.


30. A computer program product encoded in computer readable media, the
computer program product comprising:
data broker code and parser code executable on a first network server separated
from an information resource by a security barrier;
the data broker code including instructions executable as a first instance thereof to
receive access requests in a structured language corresponding to a
predefined request message specification and to forward validated ones of
the access requests across the security barrier toward the information
resource; and
the parser code including instructions executable as a first instance thereof to
validate the received access requests against the predefined request
message specification.

31. The computer program product of claim 30, further comprising:
an encoding of the predefined request message specification.

32. The computer program product of claim 30,
wherein the data broker code and parser code are also executable on a second
network server separated from a client application by the security barrier;
wherein the data broker code includes instructions executable as a second instance
thereof to receive responses in a structured language corresponding to a
predefined response message specification and to forward validated ones
of the responses across the security barrier toward the client application;
and
wherein the parser code includes instructions executable as a second instance
thereof to validate the received responses against the predefined response
message specification.

33. The computer program product of claim 32, further comprising:
an encoding of the predefined response message specification.

34. The computer program product of claim 30, further comprising:
application proxy code including instructions executable to format the access
requests in accordance with the structured language corresponding to the
predefined request message specification.

35. The computer program product of claim 30, encoded by or transmitted in at
least one computer readable medium selected from the set of a disk, tape or other
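The broker behaviour that claims 1, 10, 11, 12 and 30 to 32 describe, written out as an added example; this is not the patent's own code. The same parser and broker code runs as two instances: one validates request messages before they cross the barrier toward the information resource, the other validates response messages before they cross back. The names REQUEST_SPEC, RESPONSE_SPEC, validate_message, broker and run_demo are hypothetical, the allow-list dictionaries stand in for the predefined DTDs (an ordered content model for container elements, a value constraint for leaf elements), and every sample message is constructed for the demonstration. A message that fails validation is answered with a denial response, and the crossing function is never called for it, which is the behaviour claim 11 requires.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical specifications standing in for the predefined DTDs: a container
# element maps to an ordered list of (child, min_occurs, max_occurs); a leaf
# element maps to a regex its text must fully match.  No attributes, no mixed
# content, no elements outside the allow-list.
REQUEST_SPEC = {
    "request":  [("resource", 1, 1), ("key", 1, 1)],
    "resource": re.compile(r"[a-z][a-z0-9_]{0,31}"),
    "key":      re.compile(r"[A-Za-z0-9-]{1,64}"),
}
RESPONSE_SPEC = {
    "response": [("status", 1, 1), ("record", 0, 10)],
    "status":   re.compile(r"ok|not_found|denied"),
    "record":   [("field", 1, 20)],
    "field":    re.compile(r"[\x20-\x7e]{0,256}"),
}

class ValidationError(ValueError):
    """The message does not conform to the broker's specification."""

def _check(elem, spec, path):
    """Recursively enforce the specification on one element subtree."""
    rule = spec.get(elem.tag)
    if rule is None:
        raise ValidationError(f"{path}: <{elem.tag}> is not in the specification")
    if elem.attrib:
        raise ValidationError(f"{path}: attributes are not permitted")
    if isinstance(rule, re.Pattern):                # leaf element: constrain value
        if len(elem):
            raise ValidationError(f"{path}: leaf element must not have children")
        value = (elem.text or "").strip()
        if not rule.fullmatch(value):
            raise ValidationError(f"{path}: value {value!r} violates constraint")
        return
    children, i = list(elem), 0
    if (elem.text or "").strip() or any((c.tail or "").strip() for c in children):
        raise ValidationError(f"{path}: mixed content is not permitted")
    for name, lo, hi in rule:                       # children in spec order only
        n = 0
        while i < len(children) and children[i].tag == name:
            _check(children[i], spec, f"{path}/{name}")
            n, i = n + 1, i + 1
        if not lo <= n <= hi:
            raise ValidationError(f"{path}: <{name}> occurs {n}x, expected {lo}..{hi}")
    if i != len(children):
        raise ValidationError(f"{path}: unexpected element <{children[i].tag}>")

def validate_message(raw, spec, root_name):
    """Parse one message and validate it; returns the root element or raises."""
    # The specification is the broker's own.  A message carrying its own DOCTYPE
    # or entity declarations could redefine what is valid or trigger entity
    # expansion, so it is refused before any parsing takes place.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValidationError("inline DTD or entity declarations are not permitted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValidationError(f"not well-formed: {exc}") from exc
    if root.tag != root_name:
        raise ValidationError(f"root element <{root.tag}> is not <{root_name}>")
    _check(root, spec, root.tag)
    return root

def broker(raw, spec, root_name, cross_barrier):
    """One data-broker instance.  A validated message is handed to cross_barrier()
    and (True, its result) is returned; otherwise a denial response that itself
    conforms to RESPONSE_SPEC is returned and cross_barrier() is never called."""
    try:
        validate_message(raw, spec, root_name)
    except ValidationError as exc:
        reason = re.sub(r"[^\x20-\x7e]|[<>&]", "?", str(exc))[:256]
        return False, (f"<response><status>denied</status>"
                       f"<record><field>{reason}</field></record></response>")
    return True, cross_barrier(raw)

# Constructed sample messages (not taken from the page): (spec, root, bytes).
SAMPLES = {
    "good_request": (REQUEST_SPEC, "request",
        b"<request><resource>catalog</resource><key>A17</key></request>"),
    "smuggled_request": (REQUEST_SPEC, "request",
        b"<request><resource>catalog</resource><key>A17</key><admin>1</admin></request>"),
    "entity_request": (REQUEST_SPEC, "request",
        b'<!DOCTYPE request [<!ENTITY a "aaaaaaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
        b"<request><resource>catalog</resource><key>&b;</key></request>"),
    "good_response": (RESPONSE_SPEC, "response",
        b"<response><status>ok</status><record><field>widget</field></record></response>"),
    "leaky_response": (RESPONSE_SPEC, "response",
        b"<response><status>ok</status><debug>stack trace</debug></response>"),
}

def run_demo():
    """Push every sample through the broker for its side of the barrier.
    Returns ({name: (forwarded, payload)}, number of barrier crossings)."""
    crossings = []
    def cross(msg):
        crossings.append(msg)
        return "crossed"
    results = {name: broker(raw, spec, root, cross)
               for name, (spec, root, raw) in SAMPLES.items()}
    return results, len(crossings)
```

Two design points matter in practice. The DOCTYPE and ENTITY check is there because the specification is predefined on the broker, not negotiated with the sender: accepting a DTD carried inside the message would let the sender decide what "valid" means and would expose the parser to entity-expansion attacks. The content model is strict (ordered children, occurrence bounds, no attributes, no mixed content, no unknown elements), so an extra element such as the smuggled <admin> tag or a <debug> element leaking from the resource side is refused rather than passed through; when a real DTD or schema validator is used, its content models should be written to the same standard.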